Cyber Threat Unveiled: RAT Delivered via Dual-Layered AutoIT Malware

2025-05-19

Introduction:

Malware actors continue to evolve, blending legacy scripting with new tactics to evade detection. One recent discovery highlights how attackers are using AutoIT, a scripting language typically associated with automation on Windows, to conceal and deliver malware. The case involves a Remote Access Trojan (RAT) hidden behind two AutoIT script layers, making detection and analysis more difficult. The malware, likely associated with AsyncRAT and PureHVNC, showcases how traditional scripting tools can still be weaponized in modern cybercrime.

🚨 What Happened in This Attack? (Digest-style Overview)

Cybersecurity expert Xavier Mertens uncovered a malware dropper camouflaged as a file named “1. Project & Profit.exe”, a compiled AutoIT script. This file, once executed, initiates a series of actions that download and execute further malicious components. Here’s a breakdown:

  1. Initial Payload: The executable contains hardcoded URLs and paths pointing to malicious resources, including a PowerShell script (PublicProfile.ps1), a second-layer AutoIT script (Secure.au3), and an AutoIT interpreter (Guard.exe).
  2. Execution Chain: Once the first AutoIT layer runs, it writes and executes the PowerShell script and downloads the interpreter. The attack then progresses to the second layer, which is launched through a .url shortcut placed in the Startup folder so that it also survives reboots.
  3. Obfuscation Tactics: The second AutoIT script, named “G”, is heavily obfuscated. It uses a custom function called Wales to encode its strings. For instance, one decoded string is used to check whether Avast antivirus is running on the victim’s machine.
  4. Malware Deployment: Ultimately, the AutoIT script spawns jsc.exe and injects a malicious DLL named Urshqbgpm.dll. This final payload attempts to communicate with a C2 server (139[.]99[.]188[.]124:56001), which is linked to AsyncRAT, a well-known Remote Access Trojan.
  5. HVNC Features: Analysis of the injected DLL reveals ties to PureHVNC, a malware toolkit offering hidden VNC functionality—allowing full remote control of a compromised system without showing any visible activity to the user.

The dual AutoIT layers serve to obfuscate behavior and frustrate traditional analysis, while the malware’s final capabilities point toward full system compromise with stealthy remote access.
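Added example (not code from the ISC diary or from this post): a small Python triage routine that flags the process and network pattern of this chain over constructed Sysmon-style events. Field names, file paths and the "parent lives in a user-writable directory" heuristic are assumptions; the only page-sourced indicator is the C2 address, re-joined from its defanged form.

```python
"""Triage constructed Sysmon-style events for the jsc.exe injection chain described
above; field names, paths and the user-writable heuristic are assumptions."""
import ipaddress
from typing import Dict, List

KNOWN_C2 = {("139.99.188.124", 56001)}  # defanged address from the post, re-joined
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)

def triage(events: List[Dict]) -> List[str]:
    """Return one alert string per suspicious event (empty list if nothing matched)."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "").lower()
        if ev["EventID"] == 1:  # process creation
            parent, cmd = ev.get("ParentImage", ""), ev.get("CommandLine", "")
            # jsc.exe is a compiler; a parent living in AppData/Temp/Downloads is abnormal.
            if image.endswith("\\jsc.exe") and _user_writable(parent):
                alerts.append(f"jsc.exe spawned by {parent}")
            # A dropped AutoIt interpreter running an .au3 script from a user-writable path.
            if ".au3" in cmd.lower() and _user_writable(image):
                alerts.append(f"AutoIt script run via {ev['Image']}: {cmd}")
        elif ev["EventID"] == 3:  # network connection
            dst, port = ev["DestinationIp"], int(ev["DestinationPort"])
            if (dst, port) in KNOWN_C2:
                alerts.append(f"{ev['Image']} contacted known AsyncRAT C2 {dst}:{port}")
            elif image.endswith("\\jsc.exe") and not ipaddress.ip_address(dst).is_private:
                alerts.append(f"jsc.exe outbound connection to {dst}:{port}")  # compilers don't phone home
    return alerts

# Constructed sample telemetry (not real logs) mirroring the chain in the post.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Roaming\Guard.exe",
     "ParentImage": r"C:\Users\bob\Downloads\1. Project & Profit.exe",
     "CommandLine": r'"C:\Users\bob\AppData\Roaming\Guard.exe" Secure.au3'},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "ParentImage": r"C:\Users\bob\AppData\Roaming\Guard.exe", "CommandLine": "jsc.exe"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "DestinationIp": "139.99.188.124", "DestinationPort": 56001},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",  # benign dev build
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe",
     "CommandLine": "jsc.exe /target:exe build.js"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The fourth sample event is a benign compiler invocation from a Program Files parent and produces no alert, which is the false-positive case the parent-path check exists for.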

🔍 What Undercode Says:

This attack highlights how simple scripting tools, like AutoIT, are still critical weapons in the malware development toolkit. Why AutoIT? Because it’s powerful, Windows-native, and easily compiled into executables—making it an excellent candidate for disguising malicious intent.

The initial AutoIT file doesn’t just act as a script; it’s a multi-stage dropper, designed to fetch and run additional malicious assets. Leveraging multiple AutoIT layers, attackers achieve two key things:

  1. Obfuscation: The use of encoded strings via the Wales function adds an extra layer of complexity for malware analysts.
  2. Persistence: Placing a .url file in the Startup folder ensures the malware survives reboots and executes consistently.
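Added example, not from the original write-up: a Python check for the Startup-folder .url persistence in item 2. It parses the shortcut's INI-style contents and flags any entry that opens a local executable or script instead of a web page. The Startup paths, the extension list and the sample shortcut are assumptions/constructed.

```python
"""Check Startup-folder .url shortcuts for the launcher trick described above.
Startup paths, extension list and the sample shortcut are assumptions/constructed."""
import configparser
import os
import re
from pathlib import Path
from urllib.parse import unquote, urlparse

SUSPECT_EXT = {".exe", ".au3", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".dll"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")
STARTUP_SUBPATH = ("Microsoft", "Windows", "Start Menu", "Programs", "Startup")

def startup_folders():
    """Per-user and all-users Startup folders; empty list outside Windows."""
    roots = [os.environ.get("APPDATA"), os.environ.get("ProgramData")]
    return [Path(r, *STARTUP_SUBPATH) for r in roots if r and Path(r, *STARTUP_SUBPATH).is_dir()]

def classify_url_shortcut(text):
    """Return a reason string if the .url launches something local, else None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_option("InternetShortcut", "URL"):
        return None
    target = cp.get("InternetShortcut", "URL").strip()
    if target.lower().startswith("file:"):          # file:///C:/... form
        local = unquote(urlparse(target).path).lstrip("/")
    elif re.match(r"^[a-zA-Z]:[\\/]", target):        # bare C:\... form
        local = target
    else:
        return None                                   # ordinary web shortcut
    local = local.replace("/", "\\")
    ext = os.path.splitext(local)[1].lower()
    if ext in SUSPECT_EXT:
        return f"launches local {ext} file: {local}"
    if any(m in local.lower() for m in USER_WRITABLE):
        return f"opens a file in a user-writable path: {local}"
    return None

def scan_startup():
    findings = []
    for folder in startup_folders():
        for url_file in folder.glob("*.url"):
            reason = classify_url_shortcut(url_file.read_text(errors="replace"))
            findings += [f"{url_file}: {reason}"] if reason else []
    return findings

# Constructed sample, not the real shortcut from the incident.
SAMPLE_URL = "[InternetShortcut]\nURL=file:///C:/Users/bob/AppData/Roaming/Guard.exe\n"
```

Run scan_startup() on a Windows host to list every Startup .url that would launch a local file; the classifier alone can be applied to shortcut contents collected from disk images or EDR file telemetry.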

Once decoded, the AutoIT logic shows clear awareness of anti-virus processes, like avastui.exe, meaning the malware tailors its execution depending on the system environment—classic behavior of adaptive RATs.

The final payload, injected into jsc.exe, hints at advanced capabilities. jsc.exe is a legitimate Microsoft .NET Framework binary, so hosting the payload inside it helps the malicious code blend in with trusted processes and can slip past tools that whitelist by image name. From there, the DLL injection hands control to a stealthy RAT, which likely includes screen monitoring, keylogging, and hidden remote desktop access via PureHVNC.

What makes this case particularly dangerous is the combination of simplicity and sophistication. AutoIT is rarely flagged by security systems because of its benign origins. Yet, attackers exploit this trust to carry out deeply intrusive surveillance.

The connection to AsyncRAT reinforces the idea that this is not a one-off script—it’s part of a wider infrastructure designed to control infected systems remotely. AsyncRAT is often sold in dark web forums, with features including credential theft, clipboard hijacking, and encrypted communications.

Moreover, the presence of PureHVNC suggests attackers want full, invisible control of machines, allowing them to spy, manipulate files, or pivot deeper into networks without any user awareness. That’s a red flag for enterprise environments, where lateral movement and credential harvesting can lead to larger breaches.

If

✅ Fact Checker Results:

The malware uses AutoIT scripts in a double-layered dropper format ✅
Final payload has characteristics of AsyncRAT and PureHVNC ✅
Obfuscation is achieved using a custom function and string encoding ✅

📈 Prediction:

Given the ease of use and stealth AutoIT offers, similar multi-layered droppers will likely surge. Threat actors will continue leveraging AutoIT to bypass traditional defenses and deploy remote-access payloads like AsyncRAT. As detection tools begin catching up, expect future variants to employ even deeper obfuscation, runtime unpacking, and integration with cloud-based C2 servers for resilience. Organizations should prepare for AutoIT becoming a recurring player in advanced persistent threats.

References:

Reported By: isc.sans.edu